• Colin Walters's avatar
    CVE-2012-3524: Don't access environment variables or run dbus-launch when setuid · a52319bc
    Colin Walters authored
    This matches a corresponding change in GLib.  See
    glib/gutils.c:g_check_setuid().
    
    Some programs attempt to use libdbus when setuid; notably the X.org
    server is shipped in such a configuration. libdbus never had an
    explicit policy about its use in setuid programs.
    
    I'm not sure whether we should advertise such support.  However, given
    that there are real-world programs that do this currently, we can make
    them safer with not too much effort.
    
    Better to fix a problem caused by an interaction between two
    components in *both* places if possible.
    
    How to determine whether or not we're running in a privilege-escalated
    path is operating system specific.  Note that GTK+'s code to check
    euid versus uid worked historically on Unix, more modern systems have
    filesystem capabilities and SELinux domain transitions, neither of
    which are captured by the uid comparison.
    
    On Linux/glibc, the way this works is that the kernel sets an
    AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
    startup.  If found, then glibc sets a public-but-undocumented
    __libc_enable_secure variable which we can use.  Unfortunately, while
    it *previously* worked to check this variable, a combination of newer
    binutils and RPM break it:
    http://www.openwall.com/lists/owl-dev/2012/08/14/1
    
    
    
    So for now on Linux/glibc, we fall back to the historical Unix version
    until we get glibc fixed.
    
    On some BSD variants, there is a issetugid() function.  On other Unix
    variants, we fall back to what GTK+ has been doing.
    Reported-by: default avatarSebastian Krahmer <krahmer@suse.de>
    Signed-off-by: Colin Walters's avatarColin Walters <walters@verbum.org>
    a52319bc
dbus-sysdeps.h 20.2 KB